Clemens Lang
432cfa2baa
Allow disabling of SHA1 signatures
...
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
denying SHA1 signatures. On Fedora, the default is – for now – to allow
SHA1 signatures.
In order to phase out SHA1 signatures, introduce a new configuration
option in the alg_section named 'rh-allow-sha1-signatures'. This option
defaults to true. If set to false, any signature creation or
verification operations that involve SHA1 as digest will fail.
This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.
Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-07 18:14:04 +02:00
Dmitry Belyavskiy
a0bd929a42
Update to openssl 3.0.2
...
Related: rhbz#2064453
2022-03-18 10:41:13 +01:00
Fedora Release Engineering
b9f33d724e
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 22:29:33 +00:00
Sahana Prasad
347681c6b2
Rebase to upstream version 3.0.0
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-09-09 17:27:21 +02:00
Fedora Release Engineering
5de10d4810
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-22 17:20:55 +00:00
Sahana Prasad
0f5f931f9a
update to version 1.1.1k
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-03-26 07:37:03 +01:00
Sahana Prasad
b023ffe39f
Upgrade to version 1.1.1.j
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-03-03 15:08:11 +01:00
Sahana Prasad
fb8e66a58f
Fix regression in X509_verify_cert() #bz1916594
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-02-10 14:56:08 +01:00
Fedora Release Engineering
d34c6392bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 22:36:18 +00:00
Tom Stellard
c89aeae26c
Add BuildRequires: make
...
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2021-01-07 06:39:07 +00:00
Tomas Mraz
a07706cf0e
Update to the 1.1.1i release fixing CVE-2020-1971
2020-12-09 10:49:38 +01:00
Sahana Prasad
3413ff9700
Upgrade to version 1.1.1h
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2020-11-09 10:41:15 +01:00
Jakub Jelen
261f10a200
Do not ship in main package manuals (or aliases) to tools from perl subpackage
2020-10-23 10:06:51 +02:00
Fedora Release Engineering
7ae2c9cd85
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-28 12:48:57 +00:00
Tom Stellard
a75e581407
Use make macros
...
https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
2020-07-21 20:31:48 +00:00
Tomas Mraz
067d5800f2
Additional FIPS mode check for EC key generation
2020-07-20 14:51:05 +02:00
Tomas Mraz
04d5ef4d72
Further changes for SP 800-56A rev3 requirements
2020-07-17 12:41:39 +02:00
Tomas Mraz
7f27ca925c
Drop long ago obsolete part of the FIPS patch
2020-06-23 15:55:16 +02:00
Tomas Mraz
f023424321
Rewire FIPS_drbg API to use the RAND_DRBG
2020-06-22 13:43:12 +02:00
Tomas Mraz
ef93cf994d
SHA1 is allowed in @SECLEVEL=2 only if allowed by TLS SigAlgs configuration
...
Also some small TLS protocol fixes/changes:
Disallow dropping Extended Master Secret extension on renegotiation
Return alert from s_server if ALPN protocol does not match
2020-06-05 17:39:16 +02:00
Tomas Mraz
b9c80ecf85
Add FIPS selftest for PBKDF2 and KBKDF
...
Also more adjustments to the FIPS DH handling
2020-06-03 16:30:12 +02:00
Tomas Mraz
9833eff277
Use the well known DH groups in TLS
2020-05-26 09:28:42 +02:00
Tomas Mraz
8746bcba4c
Allow only well known DH groups in the FIPS mode
2020-05-25 18:52:45 +02:00
Adam Williamson
7396eb055e
Re-apply change from -2 now we have fixed nosync to work with it
2020-05-21 13:04:18 -07:00
Adam Williamson
87eaf879ac
Revert the change from -2 as it seems to cause segfaults
2020-05-19 18:35:16 -07:00
Tomas Mraz
1e6a98d9e9
pull some fixes and improvements from RHEL-8
2020-05-18 13:26:53 +02:00
Tomas Mraz
89a24d69fc
FIPS module installed state definition is modified
2020-05-15 17:45:44 +02:00
Tomas Mraz
5888d1863e
update to the 1.1.1g release
2020-04-23 13:47:52 +02:00
Tomas Mraz
5004ccfb25
update to the 1.1.1f release
2020-04-07 16:50:53 +02:00
Tomas Mraz
ea310218f3
revert the unexpected EOF error reporting change
...
it is too disruptive for the stable release branch
2020-03-26 15:14:08 +01:00
Tomas Mraz
c9936c55c2
Additional perl module buildrequires
2020-03-20 13:30:41 +01:00
Tomas Mraz
30d45eb047
Add BuildRequires perl(FindBin)
2020-03-20 12:44:34 +01:00
Tomas Mraz
c11b71fd2f
update to the 1.1.1e release
...
add selftest of the RAND_DRBG implementation
fix incorrect error return value from FIPS_selftest_dsa
2020-03-19 17:44:25 +01:00
Tomas Mraz
b9b156fb97
apply Intel CET support patches by hjl ( #1788699 )
2020-02-17 11:54:47 +01:00
Fedora Release Engineering
898af7893c
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 20:25:04 +00:00
Tomas Mraz
b8a97dc1d8
allow zero length parameters in KDF_CTX_ctrl()
2019-11-21 14:49:21 +01:00
Tomas Mraz
0536b721ef
backport of SSKDF from master
2019-11-14 16:13:49 +01:00
Tomas Mraz
266efa3055
backport of KBKDF and KRB5KDF from master
2019-11-13 13:43:05 +01:00
Tomas Mraz
f1c4ba61a3
Multiple fixes
...
re-enable the stitched AES-CBC-SHA implementations
make AES-GCM work in FIPS mode again
enable TLS-1.2 AES-CCM ciphers in FIPS mode
fix openssl speed errors in FIPS mode
2019-10-03 17:43:23 +02:00
Tomas Mraz
f6a62c4c2c
update to the 1.1.1d release
2019-09-13 17:25:44 +02:00
Tomas Mraz
c44b3f96fe
Bump release correctly
2019-09-06 17:18:46 +02:00
Tomas Mraz
45ebb7fdc2
upstream fix for status request extension non-compliance ( #1737471 )
2019-09-06 17:02:18 +02:00
Fedora Release Engineering
dba4c3b578
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-25 23:35:44 +00:00
Tomas Mraz
8419f769c7
Do not try to use EC groups disallowed in FIPS mode in TLS
...
Also fix Valgrind regression with constant-time code
2019-06-24 15:13:12 +02:00
Tomas Mraz
a71f5ae7ab
add upstream patch to defer sending KeyUpdate
...
(after pending writes are complete)
2019-06-03 16:05:45 +02:00
Tomas Mraz
4784e45765
fix use of uninitialized memory
2019-05-30 11:55:39 +02:00
Tomas Mraz
31d61b19d5
update to the 1.1.1c release
2019-05-29 17:23:31 +02:00
Tomas Mraz
b3060e5f2d
Another attempt at the AES-CCM regression fix
2019-05-10 16:27:24 +02:00
Tomas Mraz
22a821356e
Fix two small regressions
...
Change the ts application default hash to SHA256
2019-05-10 14:35:26 +02:00
Tomas Mraz
e18dcc63f4
FIPS compliance fixes
2019-05-07 10:30:26 +02:00
Tomas Mraz
569a3cb917
add S390x chacha20-poly1305 assembler support from master branch
2019-05-06 11:07:12 +02:00
Tomas Mraz
5c7382cd79
apply new bugfixes from upstream 1.1.1 branch
2019-05-03 11:15:37 +02:00
Tomas Mraz
1aaf4073e3
fix for BIO_get_mem_ptr() regression in 1.1.1b ( #1691853 )
2019-04-16 12:13:00 +02:00
Tomas Mraz
7a654fc69c
drop unused BuildRequires and Requires in the -devel subpackage
2019-03-27 17:00:40 +01:00
Tomas Mraz
c99b8bf7f9
fix regression in EVP_PBE_scrypt() ( #1688284 )
...
fix incorrect help message in ca app (#1553206 )
2019-03-15 16:05:02 +01:00
Tomas Mraz
e2ea1027fe
use .include = syntax in the config file
...
to allow it to be parsed by 1.0.2 version (#1668916 )
2019-03-01 08:58:32 +01:00
Tomas Mraz
5cda1ca091
update to the 1.1.1b release
...
EVP_KDF API backport from master
SSH KDF implementation for EVP_KDF API backport from master
2019-02-28 17:01:40 +01:00
Fedora Release Engineering
f565dfd7ec
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 17:32:16 +00:00
Igor Gnatenko
99d68c7f43
Remove obsolete Group tag
...
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:24:24 +01:00
Igor Gnatenko
5ee230264d
Remove obsolete ldconfig scriptlets
...
References: https://fedoraproject.org/wiki/Changes/RemoveObsoleteScriptlets
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-01-22 18:40:36 +01:00
Tomas Mraz
301c642c7f
update to the 1.1.1a release
2019-01-15 15:07:49 +01:00
Tomas Mraz
06bb120ffb
use /dev/urandom for seeding the RNG in FIPS POST
2018-11-09 15:46:42 +01:00
Tomas Mraz
68f387b1c4
fix SECLEVEL 3 support
...
fix some issues found in Coverity scan
2018-10-12 17:35:34 +02:00
Tomas Mraz
a985e4b118
Drop obsolete re-copying of headers.
2018-10-01 14:41:25 +02:00
Charalampos Stratakis
3bfe874268
Correctly invoke sed for defining OPENSSL_NO_SSL3
2018-09-27 20:49:10 +02:00
Tomas Mraz
8574fb5150
define OPENSSL_NO_SSL3 so the newly built dependencies do not
...
have access to SSL3 API calls anymore
2018-09-27 16:53:06 +02:00
Tomas Mraz
33bd389ea8
reinstate accidentally dropped patch for weak ciphersuites
2018-09-17 12:56:19 +02:00
Tomas Mraz
60efa7758e
Bump release
2018-09-14 10:57:22 +02:00
Tomas Mraz
1a7b91b472
for consistent support of security policies we build
...
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
2018-09-14 10:56:06 +02:00
Tomas Mraz
a4bf4e1b65
update to the final 1.1.1 version
2018-09-13 09:43:22 +02:00
Tomas Mraz
90121b0c9d
Multiple fixes
...
do not try to initialize RNG in cleanup if it was not initialized
before (#1624554 )
use only /dev/urandom if getrandom() is not available
disable SM4
2018-09-06 13:48:54 +02:00
Tomas Mraz
cfeae6fcb3
Two minor fixes
...
fix dangling symlinks to manual pages
make SSLv3_method work
2018-08-29 18:25:29 +02:00
Tomas Mraz
62ec0f1fa9
update to the latest 1.1.1 beta version
2018-08-22 12:41:26 +02:00
Tomas Mraz
1186311ade
bidirectional shutdown fixes from upstream
2018-08-13 16:03:04 +02:00
Tomas Mraz
f7a30f9a15
do not put error on stack when using fixed protocol version
...
(#1615098 )
2018-08-13 11:34:33 +02:00
Tomas Mraz
60357072e0
load crypto policy config file from the default config
2018-07-31 16:24:45 +02:00
Tomas Mraz
9189f03055
update to the latest 1.1.1 beta version
2018-07-25 18:15:19 +02:00
Fedora Release Engineering
7f74f219f1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 15:12:04 +00:00
Tomas Mraz
98bbad839c
fix FIPS RSA key generation failure
2018-06-19 16:05:15 +02:00
Tomas Mraz
357b7a7e37
ppc64le is not multilib arch ( #1584994 )
2018-06-04 12:24:19 +02:00
Tomas Mraz
08db5cbcb9
fix regression of c_rehash ( #1562953 )
2018-04-03 13:03:32 +02:00
Tomas Mraz
5a93773172
fix FIPS symbol versions
2018-03-29 18:13:54 +02:00
Tomas Mraz
c6d0704d87
Add missing build dependencies.
2018-03-29 16:40:14 +02:00
Tomas Mraz
6eb8f62027
update to upstream version 1.1.0h
...
Add Recommends for openssl-pkcs11
2018-03-29 15:44:09 +02:00
Tomas Mraz
6d92af0099
one more try to apply RPM_LD_FLAGS properly ( #1541033 )
...
dropped unneeded starttls xmpp patch (#1417017 )
2018-02-23 17:01:58 +01:00
Igor Gnatenko
e688115b6d
Remove %clean section
...
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 09:56:41 +01:00
Fedora Release Engineering
3a05f1f46a
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 17:49:45 +00:00
Tomas Mraz
c11b1341c5
apply RPM_LD_FLAGS properly ( #1541033 )
2018-02-01 18:07:30 +01:00
Tomas Mraz
899f2baacb
silence the .rnd write failure as that is auxiliary functionality ( #1524833 )
2018-01-11 18:08:54 +01:00
Tomas Mraz
f20f5f466f
put the Makefile.certificate in pkgdocdir and drop the requirement on make
2017-12-14 16:26:05 +01:00
Tomas Mraz
e85d72778f
update to upstream version 1.1.0g
2017-11-03 16:57:03 +01:00
Fedora Release Engineering
50c1418e79
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
2017-08-03 04:36:41 +00:00
Fedora Release Engineering
c68da76796
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
2017-07-27 01:53:35 +00:00
Tomas Mraz
790567dc64
make s_client and s_server work with -ssl3 option ( #1471783 )
2017-07-17 15:05:28 +02:00
Petr Písař
f852080c72
perl dependency renamed to perl-interpreter < https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules >
2017-07-13 11:16:32 +02:00
Tomas Mraz
7b595774f0
disable verification of all insecure hashes
2017-06-26 16:28:56 +02:00
Tomas Mraz
226b42827c
make DTLS work ( #1462541 )
2017-06-23 17:04:24 +02:00
Tomas Mraz
81258b6d2a
enable 3DES SSL ciphersuites, RC4 is kept disabled ( #1453066 )
2017-06-15 15:17:26 +02:00
Tomas Mraz
6b68d87d06
only release thread-local key if we created it (from upstream) ( #1458775 )
2017-06-05 17:20:12 +02:00
Tomas Mraz
1ff978b22e
update to upstream version 1.1.0f
...
SRP and GOST is now allowed, note that GOST support requires
adding GOST engine which is not part of openssl anymore
2017-06-02 15:32:15 +02:00